SSL certificate issues


Installing SSL certificates on your Cloud 66 stack is very easy: copy the key and certificate and paste them into the SSL certificate dialog. Cloud 66 then automatically transfers the certificates to all of your frontend servers and configures the web server to use them.

However, the certificate and key you supply must be the right ones. Specifically, your SSL certificates need to:

  • Be input correctly for Nginx to start
  • Have no passphrase
  • Have the correct encoding
  • Match each other

Web server issues

If you’ve added your SSL certificate through the Cloud 66 UI and your web server has stopped serving content, it’s likely that there is an error in your SSL certificate. In this case, it’s best to SSH to your server and run sudo service nginx restart, which should highlight the error.

Passphrase protected keys

You cannot use passphrase-protected SSL certificate keys with Nginx. A passphrase-protected key causes Nginx to prompt for manual entry of the passphrase at restart, which breaks the automatic deployment flow (and the restart of Nginx after a server restart).

The symptom is that your deployment gets stuck in the Restarting Nginx step.

Instead, use a version of your SSL certificate key without a passphrase when adding an SSL key to your stack. The following command produces one (run it on your development computer):

$ openssl rsa -in private_key_with_pass_phrase -out private_key_without_pass_phrase

You will be prompted for your passphrase, and the output file is written after that. The output file holds the private key unencrypted, so restrict access to it.

Certificate and key encoding

Certificate and key files need to end each line with a new line character only (instead of both carriage return and new line characters). To see if that’s the case, you can open them in a text editor like TextMate and show the invisible characters.

[Screenshot: TextMate Show Invisible Characters]

This is an example of a wrong line ending:

[Screenshot: Wrong line ending for SSL certificate]

Matching certificates and keys

This problem usually manifests itself as the following error when starting nginx:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("FILE.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

To make sure your key and certificate match, use the OpenSSL command-line tool like this:

$ openssl rsa -noout -modulus -in FILE.key
$ openssl req -noout -modulus -in FILE.csr
$ openssl x509 -noout -modulus -in FILE.cer

If everything matches (same modulus), the files are compatible. If not, one of the files does not belong with the others.
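The passphrase, line-ending and matching checks described above can be run together before pasting the files into the dialog. The script below is an added example, not Cloud 66's own tooling; the function names are hypothetical, and it assumes an RSA key and certificate in PEM format with openssl on the PATH.

```shell
#!/bin/sh
# Added example: pre-upload checks for an RSA key/certificate pair in PEM format.
# Function names are hypothetical; file names come from the caller.

# True if the file contains a carriage return (CRLF line endings).
has_crlf() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# True if the PEM key is passphrase protected (traditional or PKCS#8 header).
is_encrypted_key() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True if key and certificate share the same RSA modulus.
modulus_matches() {
    km=$(openssl rsa -noout -modulus -in "$1" </dev/null 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" </dev/null 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Run all checks, print one line per problem, return the number of problems.
check_pair() {
    key=$1 cert=$2 problems=0
    for f in "$key" "$cert"; do
        if has_crlf "$f"; then
            echo "FAIL: $f has CRLF line endings"
            problems=$((problems + 1))
        fi
    done
    if is_encrypted_key "$key"; then
        echo "FAIL: $key is passphrase protected"
        problems=$((problems + 1))
    elif ! modulus_matches "$key" "$cert"; then
        echo "FAIL: $key and $cert do not match (or are not RSA PEM files)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $key and $cert pass all checks"
    return "$problems"
}

# Usage: sh check_pair.sh FILE.key FILE.cer
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

The modulus comparison is skipped for a passphrase-protected key, because openssl would need the passphrase to read it.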
